Home
Certification Preparation
Cisco
CCNP
CCNP Security
Real World Problem: Wierd ICMP
Ahriakin
Using a PIX 515, 6.3(5) feeding to a Syslog server. In the last 2 days I started seeing the following:
"......305005: No Translation group found for ICP src inside: 12.x.x.166 dst outside 12.x.x.165 (type 11, code 0)
I've done some googling around and this is usually due to no translation existing for the addresses (duh). The wierd part is these addresses are both public IPs that are nowhere near our range. Plus it claims to be coming in on the inside interface. There's no reference to the source address in any of the ARP caches I've tried. We have a parallel connection between our US sites using an AT&T eVPN service and these IPs are AT&T owned which is the only thing I can think of. ICMP is allowed purely for echo-replies from 3 of our servers Public IPs, otherwise restricted (And that policy has been in place for about a month). The only recent change I made was to add an IDS policy to drop packets instead of the global alert policy but I'm not sure exactly when this kicked off (had issues with the Syslog server for 2 days).
Any ideas?
Find more posts tagged with
Comments
Ahriakin
Not that it's rousing too much interest but I finally got around to mirroring the PIX switch port to a monitor port and letting ethereal loose on the connection. Absolutely no sign of this ICMP source or anything to do with these IPs. Just to be sure it wasn't some weird conflict from the outside interface being mislabeled I applied a specific block for ICMP to/from these hosts (they were failing due to translation anyway but I wanted to see if they really did bounce off the inside interface) the ACL shows hits every few minutes.
Beeeezzzaaaaarrrreeeee.
Ahriakin
Yeah the post that won't go away
. Anyway fixed it. I couldn't trace the traffic down on any of our devices and our Managed Service provider were sure it was't coming in via their router either (it's not in their service IP range) - I asked them to put an ACL outbound from their to our network anywa to deny the source IP and voila, no more hits on our side of the fence.
That's all, only updating this in case anyone runs into something similar (personally I kinda hate googling, finding a similar issue and then just seeing something like "Its fixed...(the end)".
Quick Links
All Categories
Recent Posts
Activity
Unanswered
Groups
Best Of
